[SOLVED] Logout using REST fails

mwildam
Champ in-the-making
In my first attempts to program against Alfresco I managed to get the login working.

For the logout it takes xml instead of json by default - don't know why - anyway, what exactly must the xml look like? I tried giving it just the ticket in post parameters.

I always get 403 Forbidden as the http result code.

How should this be done?

(And maybe somebody could answer why some functions want json and some xml - this is a strange mix of formats…)
18 REPLIES

mrogers
Star Contributor
The logout script does not take any input.

Just a DELETE to /api/login/ticket/{ticket}.

mwildam
Champ in-the-making
I did this:
DELETE http://localhost:8080/alfresco/service/api/login/ticket/TICKET_044c71c492fdc2199d76381718941a769eeea...
first without posting any parameter. I got a 401 response code which means "Unauthorized"
Reading then ( :wink: ) in the documentation (http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference#Logout) it told me
Requirements:
  • Default Format: xml

  • Authentication: user

  • Transaction: required

  • Format Style: any
So it seems that it requires authentication first (although I cannot understand why because the ticket should be authentication enough).

After your post I tried again, but I get the same response code again - so that simply does not work that way.

The next thing is writing as format "xml" and then for style "any" seems like kidding…

I tried pasting the url
http://localhost:8080/alfresco/service/api/login/ticket/TICKET_f42700bb5490c9a05b02a15fc7d2fd026f086...
to the browser location and guess what happened: It asked me for a login ?!?

I tried again posting some parameters getting an error that the DELETE command does not support output parameters. So now I do not understand anything of what is going on here. And it is a simple shitty logout…

mikeh
Star Contributor
The API requires authentication, otherwise you could delete any other user's session by sniffing their ticket.

Mike

mwildam
Champ in-the-making
The API requires authentication, otherwise you could delete any other user's session by sniffing their ticket.

Shouldn't an https connection be the way to avoid sniffing?

In the meantime I found out that you must do a normal http authentication for the logout - but not for the login.
So for login you do not need http authentication, but for logout you do.

I cannot understand this logic. And http login without https does not really seem to be a sure way to avoid sniffing…

mikeh
Star Contributor
Of course, https should be configured if your security policies require it - and there's nothing stopping you configuring that. Obviously you need to apply your own SSL certificate, so it's not something we can ship out-of-the-box.

The logic is sound: if you're trying to login, then you don't need to authenticate because you don't have a session (or ticket) yet. To logout, the server must be certain it's you making the request.

Thanks,
Mike

t_broyer
Champ in-the-making
I did this:
DELETE http://localhost:8080/alfresco/service/api/login/ticket/TICKET_044c71c492fdc2199d76381718941a769eeea...
first without posting any parameter. I got a 401 response code which means "Unauthorized"
Reading then ( :wink: ) in the documentation (http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference#Logout) it told me
Requirements:
  • Default Format: xml

  • Authentication: user

  • Transaction: required

  • Format Style: any
So it seems that it requires authentication first (although I cannot understand why because the ticket should be authentication enough).

You probably don't want someone else to be able to log you out, do you?

After your post I tried again, but I get the same response code again - so that simply does not work that way.

It's working very well, for me at least.

I tried pasting the url
http://localhost:8080/alfresco/service/api/login/ticket/TICKET_f42700bb5490c9a05b02a15fc7d2fd026f086...
to the browser location and guess what happened: It asked me for a login ?!?

This webscript will tell you if the ticket is still valid, so obviously you have to be authenticated (moreover authenticated with the same user as the one "attached" to the ticket) or it would be quite easy to use brute force until you find a valid ticket and then use it to authenticate to other webscripts.

I tried again posting some parameters getting an error that the DELETE command does not support output parameters. So now I do not understand anything of what is going on here. And it is a simple shitty logout…

1. you login (using either login.get or login.post) and obtain a ticket
2. you make requests to webscripts using this ticket to authenticate
3. you make a DELETE on /api/login/ticket/<ticket> to logout

…obviously, you can also use HTTP Basic auth; it frees you from steps 1 and 3 but you have to send username/password pair on each request (which means keeping them around…)
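The three steps above as a small client, added here as an example; it is not code from the thread or from Alfresco. It assumes Alfresco's webscripts accept the ticket as an alf_ticket query parameter and that login.post takes a JSON body with username/password and answers with {"data": {"ticket": ...}}; BASE and the /api/people/admin call used as the step-2 request are constructed for illustration.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

BASE = "http://localhost:8080/alfresco/service"  # constructed; matches the thread's URLs

def login_request(base, user, password):
    """Step 1: POST a JSON body to login.post. No HTTP auth here, because there is
    no session or ticket yet (mikeh's point). Field names are an assumption."""
    body = json.dumps({"username": user, "password": password}).encode()
    return urllib.request.Request(
        f"{base}/api/login", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )

def ticket_from_login(response_body):
    """Extract the ticket from login.post's JSON reply (shape assumed)."""
    return json.loads(response_body)["data"]["ticket"]

def authed_request(base, path, ticket, method="GET"):
    """Steps 2 and 3: authenticate a webscript call by appending alf_ticket (assumed
    parameter name). A bare DELETE carries no proof of who is calling, which is the
    401 mwildam and bgl ran into."""
    sep = "&" if "?" in path else "?"
    url = f"{base}{path}{sep}{urlencode({'alf_ticket': ticket})}"
    return urllib.request.Request(url, method=method)

def logout_request(base, ticket):
    """Step 3: DELETE /api/login/ticket/{ticket}. The path names the session to end;
    alf_ticket proves the caller holds it, so nobody else can end it."""
    return authed_request(base, f"/api/login/ticket/{quote(ticket, safe='')}", ticket, "DELETE")

def send(req, opener=None):
    """Run a request and return (status, body) instead of raising on 4xx/5xx."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

if __name__ == "__main__":
    status, body = send(login_request(BASE, "admin", "admin"))
    ticket = ticket_from_login(body)
    print("step 2 (people webscript):", send(authed_request(BASE, "/api/people/admin", ticket))[0])
    print("step 3 (logout):", send(logout_request(BASE, ticket))[0])  # 401 if alf_ticket is dropped
```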

mwildam
Champ in-the-making
1. you login (using either login.get or login.post) and obtain a ticket
2. you make requests to webscripts using this ticket to authenticate
3. you make a DELETE on /api/login/ticket/<ticket> to logout

…obviously, you can also use HTTP Basic auth; it frees you from steps 1 and 3 but you have to send username/password pair on each request (which means keeping them around…)
Thanks for your explanations.
I tried now using http authentication for login and that did not work.
I still do not find the API (although only looking at login and logout now) following some clear convention. For login I may not use http authentication but for logout I must. Why isn't it enough posting the security token which I should have only and no other person probably having the desire to log me out?

Then we have the login via url parameters that returns XML but using POST it wants and returns JSON. This is confusing (at least for me).

But anyway - I can login and logout now and this is a beginning - topic solved.

mikeh
Star Contributor
Then we have the login via url parameters that returns XML but using POST it wants and returns JSON. This is confusing (at least for me).
They support both, but the default is json (have a look at the webscript description http://localhost:8080/alfresco/service/script/org/alfresco/repository/login.post - there are two response templates)

Thanks,
Mike

bgl
Champ on-the-rise
Hello,

sorry to insist on this point but I don't understand how this is working.

The argument of brute force does not really convince me since size of ticket is pretty huge.

Sniffing sounds better, but I would just say that if you get the ticket, you can do much more than just log out the user, so this argument about authentication and supplying your login/password does not seem very good to me. I must be missing something. Any light on this interests me 🙂

My problem is the following: I use the restlet library for communicating between my GWT Servlet and Alfresco. When making a call to the URL for logout, I get a 401 error, as mwildam raised. And I don't understand what is happening. I need to authenticate according to what I understood in this thread. Do I need to make a new authentication? Then how do I use it?

Here is what I have done: I got a ticket from my server, made some calls in my application and then I want to logout. So I pass the ticket to my GWT servlet, which makes this call:

http://localhost:8080/alfresco/service/api/login/ticket/TICKET_36fad5c9f03d97c7f319c0b04216d9bd77a9c...

and I get this in my logs:


14 juil. 2009 14:45:57 com.noelios.restlet.ext.httpclient.HttpClientHelper start
INFO: Starting the HTTP client
14 juil. 2009 14:45:57 org.apache.commons.httpclient.HttpMethodDirector isAuthenticationNeeded
INFO: Authentication requested but doAuthentication is disabled
[DEBUG] Déconnexion échouée. Code erreur : 401

Reading what you said, I would believe that I have to pass some extra parameters, such as login and password (so u=login&pw=password).

I am missing something but I cannot see what. Can anyone tell me?

Thank you !